diff -Nru ghostscript-9.19~dfsg+1/debian/changelog ghostscript-9.19~dfsg+1/debian/changelog
--- ghostscript-9.19~dfsg+1/debian/changelog 2017-05-15 18:46:44.000000000 +0000
+++ ghostscript-9.19~dfsg+1/debian/changelog 2017-08-25 13:19:44.000000000 +0000
@@ -1,3 +1,36 @@
+ghostscript (9.19~dfsg+1-0ubuntu7.6) zesty-security; urgency=medium
+
+ * SECURITY UPDATE: DoS via crafted files
+ - debian/patches/CVE-2017-11714.patch: prevent to reloc
+ a freed object in psi/ztoken.c.
+ - CVE-2017-11714
+ * SECURITY UPDATE: DoS in Artifex Ghostscript
+ - debian/patches/CVE-2017-9611.patch: bounds check pointer in
+ base/ttinterp.c
+ - CVE-2017-9611
+ * SECURITY UPDATE: DoS in Artifex Ghostscript
+ - debian/patches/CVE-2017-9612.patch: bounds check pointer in
+ base/ttinterp.c
+ - CVE-2017-9612
+ * SECURITY UPDATE: DoS heap-based buffer over-read and crash
+ - debian/patches/CVE-2017-9726.patch: bounds check zone pointer
+ in base/ttinterp.c.
+ - CVE-2017-9726
+ * SECURITY UPDATE: DoS heap-based buffer over-read and crash
+ - debian/patches/CVE-2017-9727.patch: make bounds check in
+ base/gxttfb.c.
+ - CVE-2017-9727
+ * SECURITY UPDATE: DoS heap-based buffer over-read and crash
+ - debian/patches/CVE-2017-9739.patch: bounds check in
+ base/ttinterp.c.
+ - CVE-2017-9739
+ * SECURITY UPDATE: DoS heap-base buffer over-read and crash
+ - debian/patches/CVE-2017-9835.patch: bounds check the array
+ allocations methods in base/gsalloc.c.
+ - CVE-2017-9835
+
+ -- Leonidas S. Barbosa Fri, 25 Aug 2017 10:19:44 -0300
+
 ghostscript (9.19~dfsg+1-0ubuntu7.4) zesty-security; urgency=medium

 * REGRESSION UPDATE: Fix for CVE-2017-8291 broke pstoedit when using
diff -Nru ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-11714.patch ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-11714.patch
--- ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-11714.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-11714.patch 2017-08-24 16:38:25.000000000 +0000
@@ -0,0 +1,53 @@
+From 671fd59eb657743aa86fbc1895cb15872a317caa Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Thu, 6 Jul 2017 14:54:02 +0100
+Subject: [PATCH 1/1] Bug 698158: prevent trying to reloc a freed object
+
+In the token reader, we pass the scanner state structure around as a
+t_struct ref on the Postscript operand stack.
+
+But we explicitly free the scanner state when we're done, which leaves a
+dangling reference on the operand stack and, unless that reference gets
+overwritten before the next garbager run, we can end up with the garbager
+trying to deal with an already freed object - that can cause a crash, or
+memory corruption.
+---
+ psi/ztoken.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/psi/ztoken.c b/psi/ztoken.c
+index 4dba7c5..af1ceeb 100644
+--- a/psi/ztoken.c
++++ b/psi/ztoken.c
+@@ -107,6 +107,12 @@ token_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
+ int code;
+ ref token;
+
++ /* Since we might free pstate below, and we're dealing with
++ * gc memory referenced by the stack, we need to explicitly
++ * remove the reference to pstate from the stack, otherwise
++ * the garbager will fall over
++ */
++ make_null(osp);
+ /* Note that gs_scan_token may change osp! */
+ pop(1); /* remove the file or scanner state */
+ again:
+@@ -183,8 +189,14 @@ ztokenexec_continue(i_ctx_t *i_ctx_p)
+ static int
+ tokenexec_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
+ {
+- os_ptr op;
++ os_ptr op = osp;
+ int code;
++ /* Since we might free pstate below, and we're dealing with
++ * gc memory referenced by the stack, we need to explicitly
++ * remove the reference to pstate from the stack, otherwise
++ * the garbager will fall over
++ */
++ make_null(osp);
+ /* Note that gs_scan_token may change osp! */
+ pop(1);
+ again:
+--
+2.9.1
+
diff -Nru ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9611.patch ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9611.patch
--- ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9611.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9611.patch 2017-08-24 16:39:13.000000000 +0000
@@ -0,0 +1,23 @@
+From c7c55972758a93350882c32147801a3485b010fe Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Mon, 12 Jun 2017 13:08:40 +0100
+Subject: [PATCH] Bug 698024: bounds check zone pointer in Ins_MIRP()
+
+---
+ base/ttinterp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: ghostscript-9.19~dfsg+1/base/ttinterp.c
+===================================================================
+--- ghostscript-9.19~dfsg+1.orig/base/ttinterp.c
++++ ghostscript-9.19~dfsg+1/base/ttinterp.c
+@@ -3856,7 +3856,8 @@ static int nInstrCount=0;
+ /* XXX: UNDOCUMENTED! cvt[-1] = 0 always */
+
+ if ( BOUNDS( args[0], CUR.zp1.n_points ) ||
+- BOUNDS( args[1]+1, CUR.cvtSize+1 ) )
++ BOUNDS( args[1]+1, CUR.cvtSize+1 ) ||
++ BOUNDS(CUR.GS.rp0, CUR.zp0.n_points) )
+ {
+ CUR.error = TT_Err_Invalid_Reference;
+ return;
diff -Nru ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9612.patch ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9612.patch
--- ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9612.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9612.patch 2017-08-24 16:39:39.000000000 +0000
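Review bot: In tokenexec_continue the new `os_ptr op = osp;` is taken before `make_null(osp)` and `pop(1)`, so on entry `op` addresses the slot that has just been nulled and popped, and the adjacent comment says gs_scan_token may move osp again; the rest of tokenexec_continue is outside the hunk, so I cannot see whether `op` is re-read from osp before it is dereferenced. If it is, a one-line comment next to the declaration such as `/* op is refreshed from osp after gs_scan_token; this value is only a placeholder */` would save the next reader the same check; if it is not, `op` must be reassigned after the call. The same five-line rationale comment is now duplicated verbatim in token_continue and tokenexec_continue; keeping the full text at one site and a one-line pointer at the other avoids the two drifting apart.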
@@ -0,0 +1,24 @@
+From 98f6da60b9d463c617e631fc254cf6d66f2e8e3c Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Mon, 12 Jun 2017 13:15:17 +0100
+Subject: [PATCH] Bug 698026: bounds check zone pointers in Ins_IP()
+
+---
+ base/ttinterp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Index: ghostscript-9.19~dfsg+1/base/ttinterp.c
+===================================================================
+--- ghostscript-9.19~dfsg+1.orig/base/ttinterp.c
++++ ghostscript-9.19~dfsg+1/base/ttinterp.c
+@@ -4127,7 +4127,9 @@ static int nInstrCount=0;
+ Int point;
+ (void)args;
+
+- if ( CUR.top < CUR.GS.loop )
++ if ( CUR.top < CUR.GS.loop ||
++ BOUNDS(CUR.GS.rp1, CUR.zp0.n_points) ||
++ BOUNDS(CUR.GS.rp2, CUR.zp1.n_points))
+ {
+ CUR.error = TT_Err_Invalid_Reference;
+ return;
diff -Nru ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9726.patch ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9726.patch
--- ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9726.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9726.patch 2017-08-24 16:46:18.000000000 +0000
@@ -0,0 +1,23 @@
+From 7755e67116e8973ee0e3b22d653df026a84fa01b Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Thu, 15 Jun 2017 08:58:31 +0100
+Subject: [PATCH] Bug 698055: bounds check zone pointer in Ins_MDRP
+
+---
+ base/ttinterp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: ghostscript-9.19~dfsg+1/base/ttinterp.c
+===================================================================
+--- ghostscript-9.19~dfsg+1.orig/base/ttinterp.c
++++ ghostscript-9.19~dfsg+1/base/ttinterp.c
+@@ -3768,7 +3768,8 @@ static int nInstrCount=0;
+
+ point = (Int)args[0];
+
+- if ( BOUNDS( args[0], CUR.zp1.n_points ) )
++ if ( BOUNDS( args[0], CUR.zp1.n_points ) ||
++ BOUNDS( CUR.GS.rp0, CUR.zp0.n_points) )
+ {
+ /* Current version of FreeType silently ignores this out of bounds error
+ * and drops the instruction, see bug #691121
diff -Nru ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9727.patch ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9727.patch
--- ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9727.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9727.patch 2017-08-24 16:52:44.000000000 +0000
@@ -0,0 +1,27 @@
+From 937ccd17ac65935633b2ebc06cb7089b91e17e6b Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Thu, 15 Jun 2017 09:05:20 +0100
+Subject: [PATCH] Bug 698056: make bounds check in gx_ttfReader__Read more
+ robust
+
+---
+ base/gxttfb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/base/gxttfb.c b/base/gxttfb.c
+index 0e9a444..e1561af 100644
+--- a/base/gxttfb.c
++++ b/base/gxttfb.c
+@@ -79,7 +79,8 @@ static void gx_ttfReader__Read(ttfReader *self, void *p, int n)
+ if (!r->error) {
+ if (r->extra_glyph_index != -1) {
+ q = r->glyph_data.bits.data + r->pos;
+- r->error = (r->glyph_data.bits.size - r->pos < n ?
++ r->error = ((r->pos >= r->glyph_data.bits.size ||
++ r->glyph_data.bits.size - r->pos < n) ?
+ gs_note_error(gs_error_invalidfont) : 0);
+ if (r->error == 0)
+ memcpy(p, q, n);
+--
+2.9.1
+
diff -Nru ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9739.patch ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9739.patch
--- ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9739.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9739.patch 2017-08-24 16:46:38.000000000 +0000
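Review bot: The widened check in gx_ttfReader__Read still lets a negative `n` through: `n` is an `int` per the signature in the hunk header, and once `r->pos` is known to be below `size` the remaining term `size - pos < n` is false for every negative `n`, so `r->error` stays 0 and `memcpy(p, q, n)` receives `n` converted to a very large `size_t`. Whether any caller can pass a negative length is not visible from this hunk, but the read routine is the natural place to reject it: `r->error = ((n < 0 || r->pos >= r->glyph_data.bits.size ||` on the first rewritten line closes the gap at no cost. Note also that with `pos == size` and `n == 0` the new first term now reports invalidfont where the old code performed a zero-byte copy; that is probably fine but is a behaviour change worth a one-line comment. The rest of gx_ttfReader__Read is outside the hunk.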
@@ -0,0 +1,26 @@
+From c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Fri, 16 Jun 2017 08:29:25 +0100
+Subject: [PATCH] Bug 698063: Bounds check Ins_JMPR
+
+---
+ base/ttinterp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: ghostscript-9.19~dfsg+1/base/ttinterp.c
+===================================================================
+--- ghostscript-9.19~dfsg+1.orig/base/ttinterp.c
++++ ghostscript-9.19~dfsg+1/base/ttinterp.c
+@@ -1793,6 +1793,12 @@ static int nInstrCount=0;
+
+ static void Ins_JMPR( INS_ARG )
+ {
++ if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) )
++ {
++ CUR.error = TT_Err_Invalid_Reference;
++ return;
++ }
++
+ CUR.IP += (Int)(args[0]);
+ CUR.step_ins = FALSE;
+
diff -Nru ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9835.patch ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9835.patch
--- ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9835.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.19~dfsg+1/debian/patches/CVE-2017-9835.patch 2017-08-24 16:51:28.000000000 +0000
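Review bot: The new guard in Ins_JMPR is only as strong as the `BOUNDS` macro, whose definition is outside the hunk, and the quantity it tests is a signed sum: `args[0]` is a signed value (the existing line below casts it to `Int`), so a backward jump larger in magnitude than `CUR.IP` produces a negative target. A macro of the plain `(x) >= (n)` form, without an unsigned cast or a `(x) < 0` term, accepts that target and the interpreter then reads instructions from before the start of the code buffer, which is the same class of out-of-bounds access this patch is meant to close. Please confirm the macro in this file rejects negative values, or make the check self-contained: `if ( CUR.IP + args[0] < 0 || BOUNDS(CUR.IP + args[0], CUR.codeSize ) )`. The rest of Ins_JMPR is outside the hunk.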
@@ -0,0 +1,107 @@
+From cfde94be1d4286bc47633c6e6eaf4e659bd78066 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Wed, 7 Jun 2017 14:55:12 +0100
+Subject: [PATCH] Bug 697985: bounds check the array allocations methods
+
+The clump allocator has four allocation functions that use 'number of elements'
+and 'size of elements' parameters (rather than a simple 'number of bytes').
+
+Those need specific bounds checking.
+diff --git a/base/gsalloc.c b/base/gsalloc.c
+index 0a4f220..4331a1e 100644
+--- a/base/gsalloc.c
++++ b/base/gsalloc.c
+@@ -672,6 +672,18 @@ i_alloc_struct_immovable(gs_memory_t * mem, gs_memory_type_ptr_t pstype,
+ alloc_trace("|+<.", imem, cname, pstype, size, obj);
+ return obj;
+ }
++
++static inline bool
++alloc_array_check_size(ulong num_elements, ulong elt_size, ulong *lsize)
++{
++ int64_t s = (int64_t)num_elements * elt_size;
++ if (s > max_uint) {
++ return false;
++ }
++ *lsize = (ulong)s;
++ return true;
++}
++
+ static byte *
+ i_alloc_byte_array(gs_memory_t * mem, uint num_elements, uint elt_size,
+ client_name_t cname)
+@@ -679,12 +691,15 @@ i_alloc_byte_array(gs_memory_t * mem, uint num_elements, uint elt_size,
+ gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+ obj_header_t *obj;
+
++ ulong lsize;
+ #ifdef MEMENTO
+ if (Memento_failThisEvent())
+ return NULL;
+ #endif
+
+- obj = alloc_obj(imem, (ulong) num_elements * elt_size,
++ if (alloc_array_check_size(num_elements, elt_size, &lsize) == false)
++ return NULL;
++ obj = alloc_obj(imem, lsize,
+ &st_bytes, ALLOC_DIRECT, cname);
+
+ if_debug6m('A', mem, "[a%d:+b.]%s -bytes-*(%lu=%u*%u) = 0x%lx\n",
+@@ -700,12 +715,15 @@ i_alloc_byte_array_immovable(gs_memory_t * mem, uint num_elements,
+ gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+ obj_header_t *obj;
+
++ ulong lsize;
+ #ifdef MEMENTO
+ if (Memento_failThisEvent())
+ return NULL;
+ #endif
+
+- obj = alloc_obj(imem, (ulong) num_elements * elt_size,
++ if (alloc_array_check_size(num_elements, elt_size, &lsize) == false)
++ return NULL;
++ obj = alloc_obj(imem, lsize,
+ &st_bytes, ALLOC_IMMOVABLE | ALLOC_DIRECT,
+ cname);
+
+@@ -722,6 +740,7 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements,
+ gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+ obj_header_t *obj;
+
++ ulong lsize;
+ #ifdef MEMENTO
+ if (Memento_failThisEvent())
+ return NULL;
+@@ -735,9 +754,9 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements,
+ return NULL; /* fail */
+ }
+ #endif
+- obj = alloc_obj(imem,
+- (ulong) num_elements * pstype->ssize,
+- pstype, ALLOC_DIRECT, cname);
++ if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false)
++ return NULL;
++ obj = alloc_obj(imem, lsize, pstype, ALLOC_DIRECT, cname);
+ if_debug7m('A', mem, "[a%d:+<.]%s %s*(%lu=%u*%u) = 0x%lx\n",
+ alloc_trace_space(imem), client_name_string(cname),
+ struct_type_name_string(pstype),
+@@ -752,15 +771,16 @@ i_alloc_struct_array_immovable(gs_memory_t * mem, uint num_elements,
+ gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+ obj_header_t *obj;
+
++ ulong lsize;
+ #ifdef MEMENTO
+ if (Memento_failThisEvent())
+ return NULL;
+ #endif
+
+ ALLOC_CHECK_SIZE(mem,pstype);
+- obj = alloc_obj(imem,
+- (ulong) num_elements * pstype->ssize,
+- pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname);
++ if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false)
++ return NULL;
++ obj = alloc_obj(imem, lsize, pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname);
+ if_debug7m('A', mem, "[a%d|+<.]%s %s*(%lu=%u*%u) = 0x%lx\n",
+ alloc_trace_space(imem), client_name_string(cname),
+ struct_type_name_string(pstype),
diff -Nru ghostscript-9.19~dfsg+1/debian/patches/series ghostscript-9.19~dfsg+1/debian/patches/series
--- ghostscript-9.19~dfsg+1/debian/patches/series 2017-05-15 18:46:44.000000000 +0000
+++ ghostscript-9.19~dfsg+1/debian/patches/series 2017-08-25 13:18:50.000000000 +0000
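Review bot: alloc_array_check_size declares `ulong num_elements, ulong elt_size` but its overflow test is only sound when the product fits in 64 bits: on LP64 platforms `ulong` is 64 bits, so `(int64_t)num_elements * elt_size` is evaluated as an unsigned 64-bit multiply that can wrap before being stored into `s`, and a wrapped product below `max_uint` passes the check. It holds today only because the four callers in this hunk pass `uint num_elements` and `uint elt_size` (or `pstype->ssize`, declared outside the hunk), which the helper's own signature does not guarantee to future callers. Either narrow the parameters to `uint` so the widening is explicit, or check without relying on a wider type: `if (elt_size != 0 && num_elements > max_uint / elt_size) return false;` followed by `*lsize = num_elements * elt_size;`. A comment on the helper stating that the product must fit `uint` because alloc_obj's size is bounded by `max_uint` would record the intent either way. Separately, `if (alloc_array_check_size(...) == false)` at all four call sites reads better as `if (!alloc_array_check_size(...))`.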
@@ -25,3 +25,10 @@
 CVE-2017-8291-1.patch
 CVE-2017-8291-2.patch
 CVE-2017-8291-regression.patch
+CVE-2017-11714.patch
+CVE-2017-9611.patch
+CVE-2017-9612.patch
+CVE-2017-9726.patch
+CVE-2017-9727.patch
+CVE-2017-9739.patch
+CVE-2017-9835.patch